When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
View on MITREThe program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability.
Avoid making conversion between numeric types. Always check for the allowed ranges.
No detection method information available for this CWE.
In the following Java example, a float literal is cast to an integer, thus causing a loss of precision.
This code adds a float and an integer together, casting the result to an integer.
Normally, PHP will preserve the precision of this operation, making $result = 4.8345. After the cast to int, it is reasonable to expect PHP to follow rounding convention and set $result = 5. However, the explicit cast to int always rounds DOWN, so the final value of $result is 4. This behavior may have unintended consequences.
In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.
If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.
In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number.
If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.
Chain: integer coercion error (CWE-192) prevents a return value from indicating an error, leading to out-of-bounds write (CWE-787)
View DetailsChain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122)
View DetailsChain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)
View DetailsChain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
View DetailsSize of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated.
View DetailsNo relationship information available for this CWE.
CWE-681: Incorrect Conversion between Numeric Types is a Common Weakness Enumeration (CWE) entry maintained by MITRE. When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
If exploited, CWE-681 (Incorrect Conversion between Numeric Types) it can compromise Other and Integrity, leading to outcomes such as Unexpected State and Quality Degradation.
Recommended mitigations for CWE-681 include: Avoid making conversion between numeric types. Always check for the allowed ranges.
CWE-681 commonly affects C and Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-681, including CVE-2022-2639, CVE-2021-43537, CVE-2007-4268, CVE-2007-4988 and CVE-2009-0231. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-681 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.